-
Notifications
You must be signed in to change notification settings - Fork 300
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: Document auto-restart of pods on secret rotation #1648
base: main
Are you sure you want to change the base?
Conversation
Welcome @ewan-chalmers! |
Hi @ewan-chalmers. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
I have requested and am awaiting my addition to the kubernetes CCLA |
/assign aramase nilekhc |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ewan-chalmers The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Looking at https://deploy-preview-1648--kubernetes-sigs-secrets-store-csi-driver.netlify.app/topics/auto-restart-on-rotation, I note that mermaid source is not rendered as a diagram in the mdbook output (as it is on github). Simplest thing is to remove the diagram, but I could also look into whether mdbook configuration can be persuaded to render mermaid diagrams. Looking at
I'll provisionally attempt to add mermaid support in this same PR with an update to docs/book/Makefile and docs/book/book.toml and see if the diagram renders in the preview. |
Well... that took a few more tries than I expected. The diagram now renders (FWIW - not a very exciting diagram) - https://deploy-preview-1648--kubernetes-sigs-secrets-store-csi-driver.netlify.app/topics/auto-restart-on-rotation#secretproviderclasspodstatus-custom-resource While doing this, I notice that we should probably upgrade mbook and mbook-toc versions (as well as this new mbook-mermaid). I had to go quite a way back in mbook-mermaid tags to get one that works with our mbook version. I'm happy to extract mermaid enabling into a separate PR or remove it altogether (along with the diagram src in this PR) if preferred. |
I'm unfamiliar with squashing commits and looks like there are loads of different ways to do so :/ |
- watch for updates to secrets and reload these in their runtime, or | ||
- be restarted to pick up the latest secrets when they change | ||
|
||
A solution such as [Reloader](https://github.com/stakater/Reloader) could be used to watch for updates to Kubernetes Secrets or ConfigMaps and restart pods when a change is detected. However, if secret values are mounted as volumes in the pods, that solution is not suitable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From an official SIG-Auth project, should we be linking out to this in the formal docs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems in tone a bit like a blog post for solving a particular problem, rather than a docs site entry. 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per our discussion in the sync meeting, perhaps we keep, but just note that this is not (officially) supported or tested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could see this doc as a continuation from https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/main/docs/book/src/topics/secret-auto-rotation.md.
I aimed for similar tone.
That doc links to Reloader.
I'm open to suggestions.
My motivation here is that the solution I arrived at and implemented was
- not obvious based on existing resources
- fairly straightforward given the necessary pointers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@benjaminapetersen I have added a note to the top of the doc. If this is not what you have in mind, could you suggest alternative? Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading through the implementation details, I believe the controller restart will now generate twice the number of calls for the associated pod. The SecretProviderClassPodStatus
is only updated by the driver after it has updated the mounted content with the new secrets. By this point, we’ve already made
𝑂(number of secrets) calls to the external secrets store. When the controller restarts the pod, it will trigger a new mount operation, resulting in another
𝑂(number of secrets) calls. In my opinion, this essentially defeats the purpose of auto rotation.
/retitle docs: Document auto-restart of pods on secret rotation |
Co-authored-by: Anish Ramasekar <anish.ramasekar@gmail.com>
I may be misunderstanding, but I think you are pointing to a potentially undesirable consequence of this implementation rather than to something which defeats the purpose. The purpose is: if mounted secrets are updated, pod will be restarted; pod code does not need to handle dynamic secret updating. This does work. However, are you pointing to the fact that for one secret update operation in the secrets store, the driver will now read the secrets from there and create mount for the pod twice - because it does this again after controller restarts the pod? If so, do you agree it is not 'defeating the purpose' but rather a consequence which might be undesirable and so should be mentioned? I have proposed a caveat NOTE to that effect: 57cf852 |
Thanks for review @aramase |
SPC relationship
What type of PR is this?
/kind documentation
What this PR does / why we need it: Provides guidance for users of the auto-rotation feature of Secrets Store CSI Driver on how to implement optional auto-restart of workload pods when secrets are updated.
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Fixes #1647
Special notes for your reviewer:
TODOs: